From 89a2a97e18454f69ce1b18cd57936173623d9067 Mon Sep 17 00:00:00 2001
From: Junghyun Yeon
Date: Wed, 13 Sep 2017 16:55:40 +0900
Subject: [PATCH] Change bahavior of trust anchor

- Trust-anchor certificate file directory has fixed.
- Make symbolic link when given pkg type is wgt or hybrid.
- When updating wgt/hybrid pkg, previous symlink will be removed.
- Register and update trust anchor have integrated.
Related changes:
[pkgmgr-info] : https://review.tizen.org/gerrit/149784
[wgt-backend] : https://review.tizen.org/gerrit/149978
[tpk-manifest-handlers] : https://review.tizen.org/gerrit/150060
[wgt-manifest-handlers] : https://review.tizen.org/gerrit/150136
Change-Id: Ibdfc760bcb15da324e7237b8b0a5a9103effc129
Signed-off-by: Junghyun Yeon
---
.../step/configuration/step_parse_manifest.cc | 6 +-
.../step/security/step_register_trust_anchor.cc | 74 ++++++++++++++++++++--
.../step/security/step_register_trust_anchor.h | 11 ++++
.../step/security/step_unregister_trust_anchor.cc | 5 +-
.../step/security/step_update_trust_anchor.cc | 52 ---------------
.../step/security/step_update_trust_anchor.h | 30 ---------
6 files changed, 80 insertions(+), 98 deletions(-)
delete mode 100644 src/common/step/security/step_update_trust_anchor.cc
delete mode 100644 src/common/step/security/step_update_trust_anchor.h
diff --git a/src/common/step/configuration/step_parse_manifest.cc b/src/common/step/configuration/step_parse_manifest.cc
index 767957c..4096878 100644
--- a/src/common/step/configuration/step_parse_manifest.cc
+++ b/src/common/step/configuration/step_parse_manifest.cc
@@ -756,15 +756,11 @@ bool StepParseManifest::FillTrustAnchorInfo(manifest_x* manifest) { if (!trust_anchor_info) return true; - if (trust_anchor_info->get_certs_dir().empty() || - trust_anchor_info->get_use_system_certs().empty()) { + if (trust_anchor_info->get_use_system_certs().empty()) { LOG(ERROR) << "Invalid trust anchor data"; return false; } - manifest->pkg_certs_dir = - strdup((context_->pkg_path.get() / - trust_anchor_info->get_certs_dir()).c_str()); manifest->use_system_certs = strdup(trust_anchor_info->get_use_system_certs().c_str()); diff --git a/src/common/step/security/step_register_trust_anchor.cc b/src/common/step/security/step_register_trust_anchor.cc index 64d0eb4..0a15d97 100644 --- a/src/common/step/security/step_register_trust_anchor.cc +++ b/src/common/step/security/step_register_trust_anchor.cc @@ -6,13 +6,41 @@ #include #include + #include +#include "common/utils/file_util.h" + namespace common_installer { namespace security { namespace bf = boost::filesystem; +namespace { + +const char kTpkTrustAnchorPath[] = "res/.trust-anchor"; +const char kWgtTrustAnchorPath[] = ".trust-anchor"; +const char kWgt[] = "wgt"; + +bool RemoveWgtTrustAnchorSymLinks(const bf::path& path) { + for (bf::directory_iterator file(path); + file != bf::directory_iterator(); ++file) { + bf::path current(file->path()); + if (bf::is_symlink(symlink_status(current))) + if (!Remove(current)) + return false; + } + return true; +} + +} // namespace + +StepRegisterTrustAnchor::StepRegisterTrustAnchor( + InstallerContext* context, RegisterType register_type) + : Step(context), + register_type_(register_type) { +} + Step::Status StepRegisterTrustAnchor::precheck() { if (!context_->manifest_data.get()) { LOG(ERROR) << "manifest_data attribute is empty"; 
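Review bot: The only validation left in FillTrustAnchorInfo rejects an empty `get_use_system_certs()` string, so any other text is copied into `manifest->use_system_certs` and is later read as false by the `strcasecmp(manifest->use_system_certs, "true")` comparison in StepRegisterTrustAnchor::process(). This value appears to decide whether system certificates are trusted for the package, so it would be safer to reject anything other than `true` or `false` here, where "Invalid trust anchor data" is already reported. A short comment that the certificate directory is now fixed by the installer and no longer read from the manifest would also help the next reader. The function starts before this hunk and continues after it.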
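Review bot: RemoveWgtTrustAnchorSymLinks can throw instead of returning false, because `bf::directory_iterator file(path)` and `symlink_status(current)` are the throwing overloads and nothing visible in this helper or at its call site in process() catches `bf::filesystem_error`. Prefer the `boost::system::error_code` overloads, for example `bf::directory_iterator file(path, ec); if (ec) return false;` and `bf::is_symlink(bf::symlink_status(current, ec))`, and log the path that failed so a broken update can be diagnosed. The helper also deserves a one-line comment stating that it removes every symlink in the directory, not only links the installer created, and the nested `if` statements would read better with braces.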
@@ -23,18 +51,50 @@ Step::Status StepRegisterTrustAnchor::precheck() { } Step::Status StepRegisterTrustAnchor::process() { + int ret; + bf::path pkg_certs_path = context_->pkg_path.get() / kTpkTrustAnchorPath; + if (register_type_ == RegisterType::UPDATE) { + ret = trust_anchor_uninstall(context_->pkgid.get().c_str(), + context_->uid.get()); + if (ret != TRUST_ANCHOR_ERROR_NONE) { + LOG(ERROR) << "Failed to unregister trust anchor. error : " << ret; + return Step::Status::SECURITY_ERROR; + } + + if (!context_->pkg_type.get().compare(kWgt)) { + if (!common_installer::CreateDir(pkg_certs_path)) + return Step::Status::APP_DIR_ERROR; + if (!RemoveWgtTrustAnchorSymLinks(pkg_certs_path)) + return Step::Status::APP_DIR_ERROR; + } + } + manifest_x* manifest = context_->manifest_data.get(); - if (!manifest->pkg_certs_dir && !manifest->use_system_certs) + if (!manifest->use_system_certs) return Step::Status::OK; - if (!manifest->pkg_certs_dir || !manifest->use_system_certs) - return Step::Status::INVALID_VALUE; + if (!context_->pkg_type.get().compare(kWgt)) { + // For wgt package, create + // [pkg_root]/res/.trust-anchor directory and create symbolic link + if (!common_installer::CreateDir(pkg_certs_path)) + return Step::Status::APP_DIR_ERROR; + bf::path pkg_certs_src_path = + context_->pkg_path.get() / "res/wgt" / kWgtTrustAnchorPath; + for (bf::directory_iterator file(pkg_certs_src_path); + file != bf::directory_iterator(); ++file) { + bf::path current(file->path()); + try { + bf::create_symlink(current, pkg_certs_path / current.filename()); + } catch (const bf::filesystem_error& error) { + LOG(ERROR) << "Failed to make trust anchor symlink : " << error.what(); + return Step::Status::APP_DIR_ERROR; + } + } + } - int ret; - bool use_system_certs = - (strcasecmp(manifest->use_system_certs, "true") == 0) ? 
true : false; ret = trust_anchor_install(context_->pkgid.get().c_str(), - context_->uid.get(), manifest->pkg_certs_dir, use_system_certs); + context_->uid.get(), pkg_certs_path.string().c_str(), + (strcasecmp(manifest->use_system_certs, "true") == 0) ? true : false); if (ret != TRUST_ANCHOR_ERROR_NONE) { LOG(ERROR) << "Failed to register trust anchor. error : " << ret; diff --git a/src/common/step/security/step_register_trust_anchor.h b/src/common/step/security/step_register_trust_anchor.h index a64450d..0822e5d 100644 --- a/src/common/step/security/step_register_trust_anchor.h +++ b/src/common/step/security/step_register_trust_anchor.h @@ -14,6 +14,14 @@ namespace security { class StepRegisterTrustAnchor : public Step { public: + enum class RegisterType { + INSTALL, // Register trust anchor with new package + UPDATE // Update trust anchor with existing package + }; + + explicit StepRegisterTrustAnchor(common_installer::InstallerContext* context, + RegisterType register_type); + using Step::Step; Status process() override; @@ -21,6 +29,9 @@ class StepRegisterTrustAnchor : public Step { Status clean() override { return Status::OK; } Status precheck() override; + private: + RegisterType register_type_; + STEP_NAME(StepRegisterTrustAnchor) }; diff --git a/src/common/step/security/step_unregister_trust_anchor.cc b/src/common/step/security/step_unregister_trust_anchor.cc index 25bc9fe..462e6cb 100644 --- a/src/common/step/security/step_unregister_trust_anchor.cc +++ b/src/common/step/security/step_unregister_trust_anchor.cc 
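Review bot: In the wgt branch of process(), every entry of the package-supplied `res/wgt/.trust-anchor` directory is linked into the trust-anchor directory without checking what kind of entry it is. The `bf::directory_iterator` over `pkg_certs_src_path` is also constructed outside the `try`, so a package that declares a trust anchor but ships no such directory raises an uncaught `bf::filesystem_error`. Because that directory is package content, the loop should accept only regular files and refuse symlinks and subdirectories before the path is handed to `trust_anchor_install`; how that API treats non-file entries is not visible here. Separately, the UPDATE path now calls `trust_anchor_uninstall` unconditionally and fails the step on any error, which the removed StepUpdateTrustAnchor did not do, so please confirm it succeeds when the previous version registered no trust anchor. The function continues past the end of the hunk.

```cpp
    // … unchanged: CreateDir(pkg_certs_path) and pkg_certs_src_path setup …
    try {
      for (bf::directory_iterator file(pkg_certs_src_path);
          file != bf::directory_iterator(); ++file) {
        bf::path current(file->path());
        // Only plain certificate files may become trust anchors; a symlink or
        // directory inside the package must not be linked in.
        if (!bf::is_regular_file(bf::symlink_status(current))) {
          LOG(ERROR) << "Unexpected entry in trust anchor directory : "
                     << current;
          return Step::Status::APP_DIR_ERROR;
        }
        bf::create_symlink(current, pkg_certs_path / current.filename());
      }
    } catch (const bf::filesystem_error& error) {
      LOG(ERROR) << "Failed to make trust anchor symlink : " << error.what();
      return Step::Status::APP_DIR_ERROR;
    }
```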
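Review bot: `using Step::Step;` is kept next to the new two-argument constructor in step_register_trust_anchor.h, so `StepRegisterTrustAnchor(context)` still compiles through the inherited constructor and leaves `register_type_` (added in the second hunk of this header) uninitialized. process() would then compare an indeterminate value against `RegisterType::UPDATE`, which decides whether the existing trust anchor is uninstalled first. Either drop the using-declaration or give the member a default, `RegisterType register_type_ = RegisterType::INSTALL;`. The enum comments are good; a similar one-line comment on the constructor saying which installer pipelines pass `UPDATE` would complete the documentation.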
@@ -25,12 +25,9 @@ Step::Status StepUnregisterTrustAnchor::precheck() { Step::Status StepUnregisterTrustAnchor::process() { manifest_x* manifest = context_->manifest_data.get(); - if (!manifest->pkg_certs_dir && !manifest->use_system_certs) + if (!manifest->use_system_certs) return Step::Status::OK; - if (!manifest->pkg_certs_dir || !manifest->use_system_certs) - return Step::Status::INVALID_VALUE; - int ret = trust_anchor_uninstall(context_->pkgid.get().c_str(), context_->uid.get()); if (ret != TRUST_ANCHOR_ERROR_NONE) { diff --git a/src/common/step/security/step_update_trust_anchor.cc b/src/common/step/security/step_update_trust_anchor.cc deleted file mode 100644 index fed83db..0000000 --- a/src/common/step/security/step_update_trust_anchor.cc +++ /dev/null 
@@ -1,52 +0,0 @@
-// Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
-// Use of this source code is governed by a apache 2.0 license that can be
-// found in the LICENSE file.
-
-#include "common/step/security/step_update_trust_anchor.h"
-
-#include
-#include
-#include
-
-namespace common_installer {
-namespace security {
-
-namespace bf = boost::filesystem;
-
-Step::Status StepUpdateTrustAnchor::precheck() {
- if (!context_->manifest_data.get()) {
- LOG(ERROR) << "manifest_data attribute is empty";
- return Step::Status::INVALID_VALUE;
- }
-
- return Step::Status::OK;
-}
-
-Step::Status StepUpdateTrustAnchor::process() {
- int ret;
- manifest_x* manifest = context_->manifest_data.get();
- if (manifest->pkg_certs_dir && manifest->use_system_certs) {
- bool use_system_certs =
- (strcasecmp(manifest->use_system_certs, "true") == 0) ? true : false;
- ret = trust_anchor_install(context_->pkgid.get().c_str(),
- context_->uid.get(), manifest->pkg_certs_dir, use_system_certs);
- if (ret != TRUST_ANCHOR_ERROR_NONE) {
- LOG(ERROR) << "Failed to register trust anchor. error : " << ret;
- return Step::Status::SECURITY_ERROR;
- }
- } else if (!manifest->pkg_certs_dir && !manifest->use_system_certs) {
- ret = trust_anchor_uninstall(context_->pkgid.get().c_str(),
- context_->uid.get());
- if (ret != TRUST_ANCHOR_ERROR_NONE) {
- LOG(ERROR) << "Failed to unregister trust anchor. error : " << ret;
- return Step::Status::SECURITY_ERROR;
- }
- } else {
- return Step::Status::INVALID_VALUE;
- }
-
- return Step::Status::OK;
-}
-
-} // namespace security
-} // namespace common_installer
diff --git a/src/common/step/security/step_update_trust_anchor.h b/src/common/step/security/step_update_trust_anchor.h
deleted file mode 100644
index 08d90d0..0000000
--- a/src/common/step/security/step_update_trust_anchor.h
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
-// Use of this source code is governed by a apache 2.0 license that can be
-// found in the LICENSE file.
-
-#ifndef COMMON_STEP_SECURITY_STEP_UPDATE_TRUST_ANCHOR_H_
-#define COMMON_STEP_SECURITY_STEP_UPDATE_TRUST_ANCHOR_H_
-
-#include
-
-#include "common/step/step.h"
-
-namespace common_installer {
-namespace security {
-
-class StepUpdateTrustAnchor : public Step {
- public:
- using Step::Step;
-
- Status process() override;
- Status undo() override { return Status::OK; }
- Status clean() override { return Status::OK; }
- Status precheck() override;
-
- STEP_NAME(StepUpdateTrustAnchor)
-};
-
-} // namespace security
-} // namespace common_installer
-
-#endif // COMMON_STEP_SECURITY_STEP_UPDATE_TRUST_ANCHOR_H_
--
2.7.4